---
id: aws-privatelink
title: Private Connectivity - AWS PrivateLink
sidebar_label: AWS PrivateLink
description: Secure your Temporal Cloud connections using AWS PrivateLink.
slug: /cloud/security/aws-privatelink
toc_max_heading_level: 4
keywords:
  - privatelink
  - private connectivity
  - security
  - temporal cloud
  - aws
tags:
  - Security
  - Temporal Cloud
  - AWS
---

#### AWS PrivateLink

[AWS PrivateLink](https://aws.amazon.com/privatelink/) allows you to open a path to Temporal without opening a public egress.
It establishes a private connection between your Amazon Virtual Private Cloud (VPC) and Temporal Cloud.
This one-way connection means Temporal cannot establish a connection back to your service.
This is useful if normally you block traffic egress as part of your security protocols.
If you use a private environment that does not allow external connectivity, you will remain isolated.

:::note

If you are interested in leveraging AWS PrivateLink in your Namespaces, [create a support ticket](/cloud/support#support-ticket) that includes the following information:

- AWS Region: The Region in which your connection will go through.
- AWS Account Id: The account which contains the permissions to enable AWS PrivateLink.
- Temporal Cloud Namespace names: The name of the Namespaces you want to enable AWS PrivateLink with.

:::

Set up PrivateLink connectivity with Temporal Cloud with these steps:

1. Open the AWS console with the region you want to use to establish the PrivateLink.
2. Search for "VPC" in _Services_ and select the option.

   ![AWS console showing services, features, resources](/img/aws-privatelink/aws-console.png)
3. Select _Virtual private cloud_ > _Endpoints_ from the left menu bar.
4. Click the _Create endpoint_ button to the right of the _Actions_ pulldown menu.
5. Under _Service_ category, select _Other endpoint services_.
   This option lets you find services shared with you by service name.
6. Under _Service settings_, fill in the _Service name_ with the PrivateLink Service Name for the region you’re trying to connect from:

   | Region           | PrivateLink Service Name                                       |
   | ---------------- | -------------------------------------------------------------- |
   | `ap-northeast-1` | `com.amazonaws.vpce.ap-northeast-1.vpce-svc-08f34c33f9fb8a48a` |
   | `ap-northeast-2` | `com.amazonaws.vpce.ap-northeast-2.vpce-svc-08c4d5445a5aad308` |
   | `ap-south-1`     | `com.amazonaws.vpce.ap-south-1.vpce-svc-0ad4f8ed56db15662`     |
   | `ap-south-2`     | `com.amazonaws.vpce.ap-south-2.vpce-svc-08bcf602b646c69c1`     |
   | `ap-southeast-1` | `com.amazonaws.vpce.ap-southeast-1.vpce-svc-05c24096fa89b0ccd` |
   | `ap-southeast-2` | `com.amazonaws.vpce.ap-southeast-2.vpce-svc-0634f9628e3c15b08` |
   | `ca-central-1`   | `com.amazonaws.vpce.ca-central-1.vpce-svc-080a781925d0b1d9d`   |
   | `eu-central-1`   | `com.amazonaws.vpce.eu-central-1.vpce-svc-073a419b36663a0f3`   |
   | `eu-west-1`      | `com.amazonaws.vpce.eu-west-1.vpce-svc-04388e89f3479b739`      |
   | `eu-west-2`      | `com.amazonaws.vpce.eu-west-2.vpce-svc-0ac7f9f07e7fb5695`      |
   | `sa-east-1`      | `com.amazonaws.vpce.sa-east-1.vpce-svc-0ca67a102f3ce525a`      |
   | `us-east-1`      | `com.amazonaws.vpce.us-east-1.vpce-svc-0822256b6575ea37f`      |
   | `us-east-2`      | `com.amazonaws.vpce.us-east-2.vpce-svc-01b8dccfc6660d9d4`      |
   | `us-west-2`      | `com.amazonaws.vpce.us-west-2.vpce-svc-0f44b3d7302816b94`      |

7. Confirm your service by clicking on the _Verify service_ button. AWS should respond "Service name verified."

   ![The service name field is filled out and the Verify service button is shown](/img/aws-privatelink/service-settings.png)
8. Select the VPC and subnets to peer with the Temporal Cloud service endpoint.
9. Select the security group that will control traffic sources for this VPC endpoint.
   The security group must accept TCP ingress traffic to port 7233 for gRPC communication with Temporal Cloud.
10. Click the _Create endpoint_ button at the bottom of the screen.
    If successful, AWS reports "Successfully created VPC endpoint." and lists the new endpoint.
    The new endpoint appears in the Endpoints list, along with its ID.

    ![The created endpoint appears in the Endpoints list](/img/aws-privatelink/endpoint-created.png)
11. Click on the VPC endpoint ID in the Endpoints list to check its status.
    Wait for the status to be “Available”.
    This can take up to 10 minutes.
12. Once available, you can use AWS PrivateLink.
    Use the first value under “DNS names” as your hostname to connect to Temporal Cloud using port 7233.
    To establish a valid mTLS session, you must override the TLS server name used for the connection to `<namespace_id>.<account_id>.tmprl.cloud`.

    ![Highlighted DNS names section shows your hostname](/img/aws-privatelink/details.png)

You are ready to start using Private Link with Temporal Cloud.

:::tip

PrivateLink endpoint services are regional.
Individual Namespaces do not use separate services.

:::

Once set up, you can test your PrivateLink connectivity using the following methods.
When connecting, you must override the TLS server name to target your Namespace’s individual hostname (`<namespace_id>.<account_id>.tmprl.cloud`) to establish a valid mTLS session:

- The Temporal CLI, using the `--tls-server-name` parameter to override the TLS server name. For example:

  ```
  temporal workflow count \
      --address <DNS associated with VPC endpoint>:7233 \
      --tls-cert-path /path/to/client.pem \
      --tls-key-path /path/to/client.key \
      --tls-server-name <namespace_id>.<account_id>.tmprl.cloud \
      --namespace <namespace_id>.<account_id>
  ```

- Non-Temporal tools like grpcURL, useful for testing from environments that restrict tool usage, using the `-servername` parameter to override the TLS server name. For example:

  ```
  grpcurl \
      -servername <namespace_id>.<account_id>.tmprl.cloud \
      -cert /path/to/client.pem \
      -key /path/to/client.key \
      <DNS ASSOCIATED WITH VPC ENDPOINT>:7233 \
      temporal.api.workflowservice.v1.WorkflowService/GetSystemInfo
  ```

- Temporal SDKs, by setting the endpoint server address argument to the PrivateLink endpoint (`<DNS associated with VPC endpoint>:7233`) and using the TLS configuration options to override the TLS server name.
